The Security Mentor

Advice for normal people about computer and information security from Beryllium Sphere(R) LLC

Friday, June 30, 2006

Stop worms before your antivirus knows about them

Someone's taken an idea that I'd daydreamed about and made a product out of it. Intrinsic Security sells an appliance called the "Firebreak Antiworm" which looks out for software indiscriminately probing your network and gets in its way. As a result it reacts almost instantly, without the wait for an antivirus firm to ship you new definitions.

The way it works, if you're curious, is by watching network addresses that you own but don't use. There's no sane or legitimate reason for any other system on the Internet to try to talk to one of those addresses, but worms often try every possible network address, like telemarketers dialing every phone number in an exchange. Imagine putting a dummy number on your PBX and programming your PBX to block any caller who tries to ring that number. Same idea, only it works better on the Internet because computers don't dial wrong numbers.
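To make the mechanism concrete, here is an added illustration (not Intrinsic Security's code, and not from the original post) of the same idea over a handful of constructed connection records: any source that touches several addresses we own but never assigned gets flagged and turned into a block rule. The owned range, the in-use hosts, the sample attempts and the hit threshold are all assumptions chosen for the demo.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the address block we own, and the subset actually assigned to hosts.
OWNED = ipaddress.ip_network("203.0.113.0/24")
IN_USE = {ipaddress.ip_address(a) for a in ("203.0.113.10", "203.0.113.20", "203.0.113.50")}


def dark_addresses():
    """Addresses we own but never handed out: nothing legitimate should ever talk to them."""
    return set(OWNED.hosts()) - IN_USE


# Constructed connection attempts as (source, destination, destination port).
# 198.51.100.7 is a normal client, 192.0.2.99 sweeps the block sequentially the way a
# scanning worm does, and 198.51.100.42 touches one dark address once (a stale record, say).
ATTEMPTS = [
    ("198.51.100.7", "203.0.113.10", 80),
    ("198.51.100.7", "203.0.113.20", 443),
    ("192.0.2.99", "203.0.113.1", 1434),
    ("192.0.2.99", "203.0.113.2", 1434),
    ("192.0.2.99", "203.0.113.3", 1434),
    ("192.0.2.99", "203.0.113.4", 1434),
    ("198.51.100.42", "203.0.113.51", 22),
]


def find_scanners(attempts, threshold=3):
    """Map each source to the dark addresses it touched, keeping only sources at or over threshold.

    The threshold is an assumption: one stray packet is forgivable, a sweep is not.
    """
    dark = dark_addresses()
    hits = defaultdict(set)
    for src, dst, _port in attempts:
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip in dark:
            hits[src].add(dst_ip)
    return {src: sorted(str(a) for a in seen) for src, seen in hits.items() if len(seen) >= threshold}


def block_rules(scanners):
    """Render one iptables-style DROP line per flagged source (text only; nothing is applied)."""
    return [f"-A INPUT -s {src} -j DROP" for src in sorted(scanners)]


if __name__ == "__main__":
    flagged = find_scanners(ATTEMPTS)
    for src, touched in flagged.items():
        print(f"{src} probed {len(touched)} dark addresses: {', '.join(touched)}")
    print("\n".join(block_rules(flagged)))
```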

On the downside, network worms like Slammer seem to be getting less important over time, I haven't tested the unit, and I'm having trouble finding anyone who has. I'd also be happier if I could find a price on their web site.

Tuesday, June 27, 2006

NYU School of Law and experts study voting machines

The Brennan Center for Justice together with nationally known security experts, specialists from the National Institute of Standards and Technology, Lawrence Livermore, and major universities did a study of electronic voting machines.

Their conclusions were unanimous and scathing. Here are a few highlights.

all three of the nation’s most commonly purchased electronic voting systems are vulnerable to software attacks that could threaten the integrity of a state or national election

and

All of the most commonly purchased electronic voting systems have significant security and reliability vulnerabilities

and

The report called into question basic assumptions of many election officials by finding that the systems in 14 states using voter-verified paper records but doing so without requiring automatic audits are of “questionable security value.”

and

The vast majority of states have not implemented election procedures or countermeasures to detect a software attack even though the most troubling vulnerabilities of each system can be substantially remedied.

What you can do is to bend the ear of your local officials and make sure they realize the public cares about getting voting machines that are at least as auditable as ATMs, and at least as carefully certified as gambling machines. Today they're not even close. You might also call your Congressperson and ask for a yes vote on H.R. 550, national legislation to fix some of the worst problems.

Sunday, June 25, 2006

Protect your Social Security number? Good luck!

I visited a new doctor. They gave me the usual intake forms. There was a space for entering my Social Security number. I began to brace for a fight but noticed that there was not a space for my insurance ID. I knew they would need that. I asked if maybe it was an old form from back in the days when insurance companies used SSNs to identify patients. The staff said yes, I should fill in the insurance subscriber number in the blank for the SSN.

Good all around. The insurance company and the doctor's staff were both careful and responsible.

Then I got out, they printed out the receipt for the work, and it had printed on it the SSN that they'd never asked for and I'd never given. I said something like "Please don't panic, I'm asking out of curiosity, but do you know where the number you never asked for and that I never gave you came from?". They didn't know. One of them started to white out the SSN, but I assured her that she didn't have to do that on the copy that I was taking home with me. I did appreciate the thought.

If SSNs are appearing out of thin air even when nobody wants them, any financial institution that treats them as proof of anything is being a fool.

Saturday, June 24, 2006

Anti-terrorist security: how eavesdropping would likely work

The people in government who want to conduct mass wiretapping say that we need to decide the tradeoff between privacy and security. By implication, they say they are offering security.

They'll start with an unimaginable load of data, apply sophisticated computer programs, filter the output through their common sense, and then take action to improve our safety. Right?

The Department of Homeland Security parcels out grants for anti-terrorist programs based on "a powerful new matrix that crunches millions of bits of data to figure out where money is most needed". At the end of that, the government presumably applies their common sense. What was the result? They cut New York City's anti-terrorist security funding almost in half. NYC, you see, has no "icons" or "national monuments" according to the government.

So now we know what happens when large amounts of data hit government common sense. We know that security actually goes down as a result.

The government says we have to choose between safety and privacy. Wrong, because they are not offering us safety.

But how do you tell good software from booby traps?

"Booby trap" might be exactly the right word for "Browsezilla", a web browser that's supposed to protect your privacy by not storing records of your online activities, but which spends its spare time going to porn sites and clicking on ads (many advertisers pay per click: software that clicks automatically is a common kind of fraud).

Of course, if you try this at work, your employer's monitoring software will see lots of access to "adult" content from your computer. Bad news.

So how do you tell it from Mozilla, a reputable and secure free product? "Browsezilla" sure sounds like a specialized version of Mozilla.

It's not a sure thing, but you can get clues from where you found a program and who's pushing it. If you heard about it in spam, it's a scam. If it's on a shady web site, don't download it. The download page for Browsezilla has hardcore porn links. You can try waiting for favorable reviews in the press or you can check sites like spywarewarrior.com to see if it's a known piece of malware.

Oh, just to be fair, here's the denial from Browsezilla:

"Thanks for references. There the full delirium is written. Yes, Browsezilla has unchangeable starting page http://browsezilla.org on which there is an advertising. It is More than anything. We shall contact manufacturers anti-virus ON for finding-out,"

Friday, June 23, 2006

Fiendish idea

Science fiction editor John Campbell once pointed out that chemical and biological weapons were inefficient as long as they depended on some kind of artificial delivery vehicle. The best weapons, he argued, would be those that the victims would go out of their way to expose themselves to. For example, not that anyone meant it that way, when Europeans were fighting natives for possession of the Americas, each side weakened the other using a toxic chemical (tobacco in one direction, alcohol in the other) which addicted the victims as well as crippling them.

Some researchers have suggested applying the same principle to computer viruses. Their theoretical design for a truly evil virus would offer people control over previously infected computers, in exchange for permission to install a little "viewer program" which of course would be the same virus that infected the other computers.

Thursday, June 22, 2006

Oh, wonderful. Something new to worry about

Someone from a security firm, and a student at the U.S. Naval Postgraduate School in Monterey, California, found a security bug that could worry anybody with a wireless card.

They discovered that if they sent a particular sequence of wireless data they could take over the computer which received the data. The computer doesn't even have to be attached to a network -- this hole is open as long as the network card is turned on.

It's a bug in one manufacturer's software. Owners of other wireless cards don't need to worry (yet; I expect more problems like this one). Unfortunately, the people who discovered this aren't saying who the affected manufacturer is. They're saving that for a public announcement at an upcoming security conference. Presumably they've let the manufacturer know so as to give them time to fix it.

Someday soon, you may hear about a fix to software for some brand of wireless card (watch this space). There will be some way for you to upgrade. When that happens, upgrade. Bad guys will look at the fix and reason backwards to what the problem was. Then they'll build nasty software to take advantage of the problem. They probably won't hang out in coffee shops waiting for people to infect: they'll probably build the attack into existing viruses as yet another way for them to spread.

Tuesday, June 20, 2006

Just for fun, all the security news you'll ever need

Remember the Dilbert cartoon where Dogbert put together a generic newspaper? It had headlines like "Violence in Mideast" and "Pope denounces immorality". Dogbert charged a thousand dollars a copy, since it would never grow stale and you'd never need to buy another.

Sunday, June 18, 2006

Why you should care about an attack targeting only one company

The attack is an Excel spreadsheet, possibly arriving as an email attachment, and named okN.xls. If anyone opens it, it uses a security vulnerability in Excel to take over the computer and download more malicious code. Whoever's doing this cunningly started doing it right after Microsoft's monthly patch day, so they'll have a full month before Microsoft makes their attack impossible.

The Excel vulnerability exploit is targeting only one organization, according to published reports.

This has implications. One of the most important is that antivirus software is going to be less useful. Antivirus companies depend on nasty software spreading widely enough for the company to get a sample and write a rule for detecting it. That's not going to happen with a piece of malware that doesn't spread outside a particular company and which doesn't call attention to itself.

You'll need to do two things. One is to look for the words "heuristic" or "behavior-based" when you're shopping for antivirus. They refer to technology which may detect a previously unknown virus (at the cost of more false alarms). The other, which is more direct, is to stop opening files without knowing who they're from and why you're getting them.

Friday, June 16, 2006

$100 anti-everything devices for your entire network

Businesses with hundreds of computers often spend thousands of dollars on special-purpose computers that just filter spam, or check for viruses, and so on.

Everything in the computer industry eventually gets cheaper and shows up in the consumer market. Now there are a couple of boxes that cost about $100 and promise to protect your entire home network against viruses, spyware, and the other maladies you risk on the Internet. Think "firewall on steroids" or "the Swiss Army knife of security".

How good are they? I haven't tested either one. One worry I have is whether the devices themselves have security vulnerabilities. Consumer-grade appliance boxes like these have a discouraging track record for problems that let outsiders take them over. D-Link has had plenty. A security problem could be really bad because these boxes have a feature to thwart spyware by scanning your outgoing traffic for sensitive information like credit card numbers. Which means the devices need to have a list of sensitive information. Which means that anyone who can take over your security appliance has all your sensitive information neatly collected in one convenient place.
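The scanning feature described above does not have to keep the sensitive values in the clear. As an added illustration (not code from any of these products, and not from the original post), the sketch below goes one step past the text: the box keeps only keyed hashes of the registered card numbers, checks outgoing text for Luhn-valid digit runs, and compares hashes, so a compromise of the appliance's storage does not hand over a tidy list of numbers. The key, the registered numbers and the sample payload are constructed for the demo.

```python
import hashlib
import hmac
import re

# Constructed appliance key. The whole design depends on this key living somewhere an
# intruder on the box cannot simply read (a hardware key store, not the config file);
# with both key and hashes in hand, an attacker can still grind through candidate numbers.
APPLIANCE_KEY = b"constructed-demo-key-not-for-production"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out ordinary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def fingerprint(card: str) -> str:
    """Keyed hash of a card number; the appliance stores these, never the number itself."""
    return hmac.new(APPLIANCE_KEY, card.encode(), hashlib.sha256).hexdigest()


# What the owner registers: only the fingerprints remain on the box.
# Both values are well-known test card numbers, not real accounts.
PROTECTED = {fingerprint(c) for c in ("4111111111111111", "5500000000000004")}

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def scan_outbound(payload: str):
    """Return (registered card numbers found, other Luhn-valid numbers found) in outgoing text."""
    protected, other = [], []
    for match in CANDIDATE.finditer(payload):
        digits = re.sub(r"[ -]", "", match.group())
        if not luhn_ok(digits):
            continue
        (protected if fingerprint(digits) in PROTECTED else other).append(digits)
    return protected, other


if __name__ == "__main__":
    # Constructed outgoing payload: one registered card, one tracking number, one other card.
    sample = "card 4111-1111-1111-1111 ship 1234567890123 also 4012888888881881"
    hits, others = scan_outbound(sample)
    print("block: registered card leaving the network" if hits else "allow")
    print("other Luhn-valid numbers seen:", others)
```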

It's also important to remember that they protect against Internet threats. Unlike antivirus software on your computer, they won't protect against malicious software that gets physically loaded. For example, remember the Sony CD scandal where inserting the CD installed hidden software that jeopardized your security? These devices can't, and aren't designed to, detect threats like that.

Oh, and you can probably get one for about $80, but you'll spend that much every year on updates, which you can't do without because of the rapid appearance of new viruses and spyware.

If you're a small business, test one under load before you commit. One of the easiest ways for a vendor to cut corners would be to ship a device that can't quite keep up with the full speed of your Internet connection.

"Are you going to give me a recommendation already", you fairly ask. Wait and see. Maybe install one on a test network. Keep an eye out for independent reviews.

Thursday, June 15, 2006

MSN users: beware "jaja look a that" or "mira este video"

This is the message a really nasty piece of software sends out on MSN Messenger asking you to download it. It pretends to be a movie, but if you run it, it will send IMs to all your contacts telling them to download it. Meanwhile, it will have disabled your antivirus software and wrecked several of the built-in Windows tools that would be needed for removing it.

If you get a message like that inviting you to download a movie named Fantasma from a web page somewhere, don't take the bait. It's unclear from the published accounts whether there's a real movie that triggers a security flaw in the movie player software, or whether it's just a regular program that people are clicking on without looking.

While you wait for Yahoo to put in a real fix, you could try blocking email from av3@yahoo.com or email with the subject "New Graphic Site". This won't work for long: the people who write things like this can adapt easily.

A painful but more effective approach is to turn off Javascript. Yahoo mail should then tell you to turn Javascript back on or to switch to an older and less functional version of Yahoo! Mail. Do the latter. The problem is that when this problem is finally solved and it's safe to switch Javascript back on, Yahoo! may not sense that you've done it. There's a conflict with Norton Internet Security, see, and -- stop, don't go away, if you think that's more trouble than it's worth then try the blocking approach mentioned above. Otherwise, if you can't get Yahoo! to realize you've turned Javascript back on and if you're running NIS, then log out of Yahoo! Mail, turn off NIS, log into Yahoo! Mail, and turn NIS back on. I am not making this up: credit to a user at webmasterworld.com named directrix.

UPDATE 6/13: According to one report, Yahoo! has released a fix. This should take care of it automatically with no need for action on your part.

A scam that sometimes begins in chat rooms

What can possibly go wrong with helping that cute man or woman in Nigeria, the one who's been complimenting you and sending you flowers, to get a shipment from a US company that doesn't take international orders? All you have to do is accept the shipment at your address, rewrap it, and FedEx it to Nigeria.

Well, of course the Nigerian placed the order with a stolen credit card, which means the paper trail points straight to you if someone makes a criminal case out of it.

Don't you feel sorry for honest people who live in Ghana or Nigeria? They're being cut off from the rest of the world, and they can't even work around the problem because the crooks have gotten to the workaround first.

Saturday, June 10, 2006

Natural disaster prep is security, too

How well would your business do in a Katrina-type situation? Remember that the slow hurricane cycle is about due to send storms to the Atlantic coast, so you need to think about this even if you are not in a Gulf state.

Don't figure on riding a disaster out in place. Even if your office is not under water, it won't have power. If you have a generator, you can't count on Internet access. And so on, and that's before you allow for your employees having evacuated to Red Cross shelters in another state.

The first thing to think about is where you're going to resume operations. Plan this one in advance. Then work out which of your business activities are really critical. Everyone will claim their own job is vital, of course. Remember to allow for how long the disruption will last, and that it will be longer than you expect.

Then figure out how you're going to restart operations. Where are your backups? Offsite, I hope, but does that mean in an employee's home? What about all the licensed software you use? Do you have the license keys?

Friday, June 09, 2006

Microsoft Patch Day is coming!

This looks like a serious but not spectacular one. There are only a few critical patches for June. Install right away, but don't panic (unless the problems turn out to be worse than we know).

UPDATE 6/13: It's here, it's big, and it's important. There are multiple vulnerabilities of the sort that allow remote takeover of your computer. Some are in Internet Explorer (yawn) but others are in Word and Powerpoint.

I don't recommend panic yet, but remember it takes less than a week for bad guys to look at the fix, figure out what the problem must have been, and develop an attack. Install this set right away.

UPDATE 6/14: Did I say "less than a week"? Attack code is circulating now. I'm not quite at the point of recommending panic but definitely drop what you're doing and run Windows Update if you haven't got it on automatic.

As Microsoft sees it, the three most critical are one which allows malicious web sites to take over your computer (but not if you're running an alternative browser), one in which you could lose control of your computer by looking at a picture from AOL in their "ART" format, and another set of Internet Explorer vulnerabilities.

News story about malware, supposed to be funny

There's no story there. Steve Ballmer is a CEO and not a repair technician.

The story starts getting interesting when Ballmer took the PC back to Microsoft and had some engineers work on it. They couldn't disinfect it. That's a tribute to how vicious malware is these days, but that's still not news. Microsoft already recommends erasing infected machines and reinstalling Windows ("Hello? My house has cockroaches." "Have you tried burning it to the ground and rebuilding?").

The real story is the company response:

Among the problems was a program that automatically disabled any antivirus software.

"This really opened our eyes to what goes on in the real world," [vice president] Allchin told the audience.

Microsoft does have a problem with being isolated from industry news and trends (they almost missed the Internet), but this is ridiculous. Their home customers have been seeing this for years, their corporate customers have been spending big money on problems like this, the industry press has been reporting on unremovable malware, and you know about malware that disables antivirus because you've read about it here. The most notorious removal-resistant malware, CoolWebSearch, has been in circulation for three years as of last month.

They must know better. They have to. They bought an antivirus firm years ago. They bought an antispyware company in 2004.

Enough ranting, time for advice. Keep backups of your data in case you have to start over, and remember that your email does not live in My Documents, but in Application Data. Keep the Windows installation disk handy if you were lucky enough to get one. Find some handy storage for the install disks for the software you depend on. Don't download software from weird places. Limit your use of Internet Explorer to Windows Update and to sites that absolutely require it and that you need to visit to make a living.

Monday, June 05, 2006

How bad is the credit card theft problem?

There is actually a way to answer this. When viruses, trojans and other infective software on your machine get hold of a credit card number, they send it to a drop someplace where the bad guy can retrieve it. Study the software or watch the network traffic and you can find out where the drop is, and maybe see how much is going into it.

Lance James of Secure Sciences, author of a book about phishing, has done just that, and mentioned his findings on a security mailing list recently. What kind of numbers is he seeing?

Sunday, June 04, 2006

The problem with government databases

Privacy advocates talk in lofty abstractions and most people don't see what their point is.

One concrete problem with the government building dossiers on us is that the information tends to stop being "government" information before too long. The Veteran's Administration just had 26.5 million records slip out of their custody, including dates of birth and Social Security numbers.

Statistical analysis software is an everyday tool that's easy to find, and besides, apply a little logic: doesn't it seem likely that the employee who took the laptop home to work on the data also had the software to work on the data?

UPDATE 6/29:

The government got the laptop back! Nobody's saying how.

The VA is trying to fire the analyst who took all the information home. They accuse him of negligence. It turns out, though, that he reported the theft immediately but the VA sat on the report for weeks. It also turns out that he didn't just walk out the door with the data: he asked for, and received, written permission on three occasions to take personal data and software home.

AP story about VA laptop.

Friday, June 02, 2006

Physical security: how many terrorists are there?

Tough question: it's not like you can do a survey.

It can't be all that many. Look how much damage and loss of life 19 caused. But add in finance guys, safehouse operators, and recruiters. Then add instructors for the training camps, and figure there are enough going through to make it worthwhile to keep training camps open.

So, speculating, more than hundreds, but not too many thousands. If there were as many as ten thousand fanatical mass murderers out there eager to cause mass casualties, we'd be hurting bigtime.

The hazards of lists are that it's easy to put people on them, but not easy to take them off; all the incentives are to make lists long so as to justify funding; everyone will think the list is authoritative; and people will use the information to decide whether to shoot you seven times in the head.

Thursday, June 01, 2006

mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw : it may save your data

Bad guys keep running a scam in which they encrypt your data and demand money in exchange for the key to decrypt it.

There's a recent Trojan Horse called Archiveus that does this. Nobody seems to know how you get it.

Antivirus firm Sophos is getting the credit for taking the nasty software apart and finding out what magic sequence of letters and numbers you have to type in to get your data back. It's the gibberish in the subject line.

Odds are you won't need this information: restoring from backup works just as well, and the malware doesn't seem to have spread widely.